Just to clarify: if you mean something like PHP's mysql_(real_)escape_string; that is not the recommended way to execute queries. What you would instead do (as a previous answer already stated) is create a prepared statement, which tells the SQL server “here is a query with some holes for values in it, and I will give you those values later”, and execute the statement with those values. This way, the SQL server knows exactly what is part of the query and what is part of the code, and there is much less chance of any injection attempts getting through.

Apologies if this is super on-the-nose/you knew that already, I just think it bears repeating.
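The difference described in the comment above, as an added example that is not part of the original post: it uses Python's built-in sqlite3 module against an in-memory SQLite database, comparing a query built by string concatenation with one that binds the value to a `?` placeholder. The table, rows and function names are constructed for illustration; `?` binding is a feature of SQLite's prepared statements themselves, so the same approach applies through other language bindings.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn

def find_by_name_concat(conn, name):
    """Anti-pattern: the value is spliced into the SQL text itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_bound(conn, name):
    """Prepared statement: the SQL text is fixed, the value fills the ? hole."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(conn, name):
    """Run both variants; report rows (or the parse error) for each."""
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    return concat, find_by_name_bound(conn, name)

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a plain name, a legitimate name containing a quote,
    # and a value that changes the query's meaning when concatenated.
    for value in ["bob", "o'brien", "x' OR '1'='1"]:
        concat, bound = compare(conn, value)
        print(f"{value!r}\n  concatenated: {concat}\n  bound:        {bound}")
```

The concatenated variant fails on the legitimate name `o'brien` and returns every row for the third input, while the bound variant treats each value as a plain string to compare against.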

I'm using the sqlite library. I saw the rusqlite project, but I have written a lot of stuff using sqlite already and I am running against a deadline, so it's not exactly the best time for me to change all the code I wrote specific to the sqlite library.